The "Poll Microsoft Outlook on a Schedule for New Messages for Cases" workflow template is designed to streamline email case management by automatically retrieving new messages from Outlook at regular intervals. It extracts and enriches email components, such as EML files, and generates detailed Torq cases. This process includes URL defanging, QR code scanning in attachments, and SPF/DKIM verification, ensuring comprehensive email analysis and documentation. Ideal for businesses seeking efficient email threat management and case creation.

Use Cases

Case Management

Workflow Breakdown

Polls Outlook for new messages, passing EML files to a nested workflow for content gathering.
Enrichment/linking occurs before mapping to generate a Torq case with email/nested email info.
EML inspection resolves URL hostnames, provides verdicts, and defangs URLs for the Torq case.
Image attachments are checked for QR codes; findings and observables are added as case comments.
Torq case includes EML details, HTML header notes, SPF/DKIM verdicts, and an HTML body screenshot.

Vendors

Scripting, Utils, Microsoft Outlook, Microsoft 365, Torq, Torq Cases, Data Transformation

Tips

Community Post: https://community.torq.io/case-management-getting-started-7m5qtn0s/post/creating-cases-from-an-office365-mailbox-ReF6pOS2dlV2UzW

Workflow Template: Send a Microsoft Outlook Email to Assignee in a Torq Case

Workflow Template: Poll for New Microsoft Defender for Endpoint Events for Cases

Workflow Template: Poll for new SentinelOne Threats and Open a Torq Case

Workflow Template: Poll for new CrowdStrike Alerts and Open a Torq Case

Workflow Template: Create Case from Microsoft XDR Incident

Workflow Template: Poll Microsoft Outlook on a Schedule for New Messages for Cases

Use Cases

Workflow Breakdown

Vendors

Tips